Add deployment config

Emyrk · Emyrk · commit 659800c1f8fc · 2023-04-07T13:35:11.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -171,9 +171,11 @@ func New(options *Options) *API {
 		options = &Options{}
 	}
 
-	rbac.ReloadBuiltinRoles(&rbac.RoleOptions{
-		NoOwnerWorkspaceExec: true,
-	})
+	if options.DeploymentValues.DisableOwnerWorkspaceExec {
+		rbac.ReloadBuiltinRoles(&rbac.RoleOptions{
+			NoOwnerWorkspaceExec: true,
+		})
+	}
 
 	if options.Authorizer == nil {
 		options.Authorizer = rbac.NewCachingAuthorizer(options.PrometheusRegistry)
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -203,6 +203,8 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can
 	if options.DeploymentValues == nil {
 		options.DeploymentValues = DeploymentValues(t)
 	}
+	// This value is not safe to run in parallel. Force it to be false.
+	options.DeploymentValues.DisableOwnerWorkspaceExec = false
 
 	// If no ratelimits are set, disable all rate limiting for tests.
 	if options.APIRateLimit == 0 {
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -136,11 +136,6 @@ var (
 		Type: "organization_member",
 	}
 
-	// ResourceWildcard represents all resource types
-	ResourceWildcard = Object{
-		Type: WildcardSymbol,
-	}
-
 	// ResourceLicense is the license in the 'licenses' table.
 	// ResourceLicense is site wide.
 	// 	create/delete = add or remove license from site.
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -80,10 +80,6 @@ func allPermsExcept(excepts ...Object) []Permission {
 		if skip[r.Type] {
 			continue
 		}
-		// Do not include the wildcard
-		if r.Type == ResourceWildcard.Type {
-			continue
-		}
 		// Owners can do everything else
 		perms = append(perms, Permission{
 			Negate:       false,
@@ -149,10 +145,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 					// All users can see the provisioner daemons.
 					ResourceProvisionerDaemon.Type: {ActionRead},
 				}),
-				Org: map[string][]Permission{},
-				User: Permissions(map[string][]Action{
-					ResourceWildcard.Type: {WildcardSymbol},
-				}),
+				Org:  map[string][]Permission{},
+				User: allPermsExcept(),
 			}
 		},
 
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -162,6 +162,7 @@ type DeploymentValues struct {
 	GitAuthProviders                clibase.Struct[[]GitAuthConfig] `json:"git_auth,omitempty" typescript:",notnull"`
 	SSHConfig                       SSHConfig                       `json:"config_ssh,omitempty" typescript:",notnull"`
 	WgtunnelHost                    clibase.String                  `json:"wgtunnel_host,omitempty" typescript:",notnull"`
+	DisableOwnerWorkspaceExec       clibase.Bool                    `json:"disable_owner_workspace_exec,omitempty" typescript:",notnull"`
 
 	Config      clibase.String `json:"config,omitempty" typescript:",notnull"`
 	WriteConfig clibase.Bool   `json:"write_config,omitempty" typescript:",notnull"`
@@ -1302,6 +1303,15 @@ when required by your organization's security policy.`,
 			Value: &c.DisablePathApps,
 			YAML:  "disablePathApps",
 		},
+		{
+			Name:        "Disable Owner Workspace Execution",
+			Description: "Remove the permission for the 'owner' role to have workspace execution on all workspaces. This prevents the 'owner' from ssh, apps, and terminal access based on the 'owner' role. They still have their user permissions to access their own workspaces.",
+			Flag:        "disable-owner-workspace-exec",
+			Env:         "CODER_DISABLE_OWNER_WORKSPACE_EXEC",
+
+			Value: &c.DisableOwnerWorkspaceExec,
+			YAML:  "disableOwnerWorkspaceExec",
+		},
 		{
 			Name:        "Session Duration",
 			Description: "The token expiry duration for browser sessions. Sessions may last longer if they are actively making requests, but this functionality can be disabled via --disable-session-expiry-refresh.",

Original file line number	Diff line number	Diff line change
`@@ -203,6 +203,8 @@ func NewOptions(t testing.T, options Options) (func(http.Handler), context.Can`
`203`	`203`	`if options.DeploymentValues == nil {`
`204`	`204`	`options.DeploymentValues = DeploymentValues(t)`
`205`	`205`	`}`
	`206`	`+ // This value is not safe to run in parallel. Force it to be false.`
	`207`	`+ options.DeploymentValues.DisableOwnerWorkspaceExec = false`
`206`	`208`
`207`	`209`	`// If no ratelimits are set, disable all rate limiting for tests.`
`208`	`210`	`if options.APIRateLimit == 0 {`